|
Information System =
Security: How=20
Much is Enough?
Lawrence Troffer
August 21,=20
2000
Two generally accepted notions of =
information=20
system security are that it is expensive, and that a =
system’s usefulness=20
is inversely proportional to its degree of security. Senior =
policy- and=20
decision-makers face a daunting challenge in determining "how much =
security". Adding layer after layer of security measures can =
become=20
unaffordable, in terms of direct and indirect costs and =
diminishing=20
utility of the information system. Further, a haphazard =
application of=20
security measures may leave critical vulnerabilities exposed, or =
result in=20
unnecessary protection being applied.
In the development of systems of =
any type, good=20
systems engineering practice calls for a thorough requirement =
analysis and=20
a process to trace requirements throughout system development in =
order to=20
ensure that the final product meets the original need. In the =
field of=20
information system security, the equivalent of the requirement =
analysis is=20
a risk assessment. When established in policy as a =
specified=20
methodology tailored to an organization’s needs, it serves =
multiple=20
purposes. It can be a disciplined, repeatable process for =
identifying=20
security needs. It forms a basis for subsequent security review =
during the=20
lifecycle of an information system. It can aid management in =
making=20
decisions on expenditures, and also assist the security =
professional by=20
presenting sound justification to management for particular =
measures. The=20
ideal outcome obviously, would be to implement sufficient =
security, yet no=20
more security than is affordable and whose cost is properly=20
justified.
The Department of Defense and the =
armed=20
services within it have established extensive policies regarding=20
information system security. A part of those policies is the =
Defense=20
Information Technology Security Certification and Accreditation =
Process=20
(DITSCAP), a deliberate process that leads to an appropriate level =
of=20
security certification and finally accreditation by a Designated =
Approving=20
Authority (DAA). The final accreditation is a part of the =
"building=20
permit" required prior to installation or modification of an =
information=20
system. The DITSCAP applies to all information systems, whether =
classified=20
or unclassified, and is tailored to each system according to the=20
sensitivity of the information it processes.
When security measures are applied =
to a system,=20
there is always some remaining, or residual, risk. For example, =
although a=20
well-designed firewall provides significant protection to a =
network, there=20
is still risk of insider attacks or data-driven attacks being =
introduced=20
via legitimate access protocols. Accreditation by the DAA implies =
that the=20
DAA has reviewed the system’s security posture, and deems =
any residual=20
risk as acceptable. The DITSCAP prescribes a Risk Assessment as =
the basis=20
for identifying appropriate and effective security measures and =
for aiding=20
the DAA in determining the residual risk. Specific risk assessment =
methodologies are numerous and almost always tailored to the =
system under=20
consideration. The remainder of this paper discusses one=20
approach.
Risk Assessment =
101.
The elements of a good risk =
assessment include:=20
- Business or operational =
assessment=20
- Asset valuation=20
- Threat assessment=20
- Vulnerability assessment=20
- Risk analysis=20
- Countermeasure assessment and=20
implementation=20
- Test
The business or operational =
assessment=20
is done to gain an understanding of the people, systems and =
processes of=20
an organization, and an estimate of the external environment in =
which they=20
operate. It provides necessary context for the remainder of the =
risk=20
assessment. It provides insight that will be needed later in the =
process=20
for making decisions.
The asset valuation consists =
of=20
identifying assets and assigning each a value. The effort requires =
some=20
thought, because the term, "asset", means more than physical items =
like=20
computers or network infrastructure. Intellectual property, =
proprietary=20
information and professional reputation are less tangible, but are =
assets=20
nonetheless, and are vulnerable to various security problems. =
Also, an=20
organization’s assets may have value to others outside the =
organization,=20
which should perhaps be considered in this process. The analysis =
may be=20
quantitative or qualitative or both. For example, real property =
has a=20
clear monetary cost associated. The value of professional =
reputation is=20
much harder to quantify. However, in order to make subsequent =
decisions on=20
the basis of cost-benefit tradeoffs, some kind of cost or weight =
that=20
indicates the consequences of losing each asset is =
required.
For purposes of the risk =
assessment, threats=20
are defined as events or circumstances that can harm a system. In =
the=20
threat assessment, all possible threats are first=20
identified. Then the likelihood of each threat is estimated. To be =
thorough, the threat identification should include anything that =
can=20
compromise the confidentiality, integrity or availability of a =
system.=20
That means that fire, theft, natural disaster and others need to =
be=20
considered alongside viruses, network penetration and denial of =
service=20
attacks. The likelihood of some threats may be estimated through=20
historical data, while that of others will be based on experience =
and=20
judgement. The threat likelihood is expressed as a probability =
between 0=20
and 1.
The vulnerability assessment =
is the=20
deliberate examination of the system to determine its weaknesses.=20
Vulnerabilities are deficiencies in design, controls, procedures =
etc. that=20
can be exploited. The vulnerability assessment considers existing =
security=20
countermeasures, and is used to determine which threats are =
carried=20
forward to the next step of the risk assessment. There is clearly =
no need=20
to consider implementing countermeasures for a threat against =
which a=20
system is deemed not vulnerable. It is important however to =
initially list=20
all threats and vulnerabilities for purposes of future review. =
Sources for=20
identifying potential vulnerabilities include:
- Previous vulnerability test and =
audit=20
reports=20
- Interviews with system =
management,=20
operations, and maintenance personnel=20
- Vendor advisory =
information=20
- Computer Incident Response Team =
(CIRT)=20
bulletins=20
- System software security =
analyses=20
- System anomaly reports=20
- Experience on similar =
systems=20
- Security incident =
reports.
Checklist driven, non-technical =
means=20
(observation, demonstration, interview, and document analysis) are =
used to=20
provide information pertinent to the physical, personnel, =
administrative,=20
procedural, and operations security factors of the vulnerability=20
assessment. Technical tools such as network security tools, =
password=20
crackers and war dialers may be employed in internal or external =
attack=20
modes to determine the level of access that a valid user or =
intruder could=20
obtain.
Risk is the combination of the =
probability=20
of a threat, and the resulting impact on assets. The risk=20
analysis is the process of analyzing the threat probabilities =
and=20
resultant consequences from the previous steps of the risk =
assessment. It=20
considers which assets are vulnerable to which threats, and to =
what=20
degree. It is intended to highlight the difference between =
low-value=20
assets vulnerable to low-probability threats versus high-value =
assets=20
vulnerable to high-probability threats, and all combinations in =
between. A=20
simple method: first estimate which assets are vulnerable to which =
threats. Multiply the threat probabilities times the values of the =
assets=20
each threat may effect. This provides a "weight" that is a measure =
of=20
risk.
The countermeasure =
assessment identifies=20
countermeasures that may be required and strikes a balance between =
risk=20
identified in the previous step and the cost of implementing =
specific=20
countermeasures to reduce it. Further, this assessment should help =
determine the sequence in which countermeasures will be =
implemented should=20
time or money preclude simultaneous implementation. It is =
certainly=20
conceivable that the risk analysis and countermeasure assessment =
will show=20
that no additional countermeasures are needed.
Finally, a test is conducted =
to validate=20
the work. The validation testing may repeat some of the activity =
of the=20
vulnerability assessment, but is in no way limited to that. The =
interest=20
is in being thorough, in order to determine risk remaining after=20
application of selected countermeasures.
A thoroughly documented risk =
assessment=20
requires considerable time and effort, but is well worth the =
expense on=20
all but the most trivial networks and systems. It provides facts, =
rather=20
than guesses, regarding specific security measures to be =
implemented for a=20
given system. It provides a complete picture and a common =
understanding to=20
both top level management and the security practitioner and =
enables sound=20
decisions regarding cost, system utility and adequate =
security.
References
- "An Introduction to Computer =
Security: The=20
NIST Handbook". July 2, 1996. http://csrc.ncsl.nist.=
gov/nistpubs/800-12=20
(23 June 2000).=20
- "Defense Information Technology =
Security=20
Certification and Accreditation Process". December 30, 1997. http://web7.whs.osd.mi=
l/text/i520040p.txt=20
(26 June 2000)=20
- "Introduction to Certification =
and=20
Accreditation Concepts". January 1994. h=
ttp://www.radium.ncsc.mil/pep/library/rainbow/ncsc-tg-029.txt=20
(27 June 2000).
|
|
